On October 28, the government of Kazakhstan approved an action plan to implement the country's cybersecurity concept—"Cyber Shield"—by 2022 (Zakon.kz, November 1). The document outlines key areas of state policy that will be required to build a modern yet reliable system to mitigate and prevent cyberattacks and threats from hybrid ("new type") warfare.
The amount of illegal online content reaching Kazakhstan has grown by a factor of 40 in the last three years (Kapital.kz, September 4). Both government agencies and domestic financial institutions frequently suffer from cyberattacks. Ruslan Abdukalikov, the deputy chairman of the Committee on Information Security in the Ministry of Defense and Aerospace Industry, recently pointed out that the number of cyber threats to the state's electronic systems increases by 2–2.5 times every year (Inform.kz, October 28).
As the country seeks to attract new technologies to encourage economic diversification, information and cybersecurity challenges have been growing as well. To reduce these vulnerabilities, Kazakhstani President Nursultan Nazarbayev instructed the government and the National Security Committee to develop the country's cybersecurity strategy, emphasizing "this is a matter of national security… In today's world, it is not necessary to fight using an aircraft or a tank." Rather, a computer virus can knock a power plant offline or paralyze the domestic railway network, he noted (Informburo.kz, September 4).
Recent trends in cyber espionage and hybrid warfare have revealed the country's need to rethink its security policies, including in the cyber realm. The security services have contributed heavily to formulating a cybersecurity strategy for Kazakhstan. But the above-cited recently adopted action plan is notable because it introduces a comprehensive approach to build a "Cyber Shield" concept that will have multiple stakeholders, including businesses, the research community and the general population. Several important conclusions can be drawn based on the text of the action plan:
First, in the government's view, local software is preferable, but not yet available. As a result, the recently reorganized Ministry of Defense and Aerospace Industry is working to gradually overcome the country's reliance on proprietary information security software from abroad as well as foreign IT product certification. Policymakers in Kazakhstan have been discussing this particular issue for the last five years. As a first step in this direction, the Chamber of Entrepreneurs will create a national register of trusted software and IT products by July 2018 (Zakon.kz, November 1).
Second, international cooperation is so far limited, but seen as important. In particular, it appears necessary to allow Kazakhstan to attract new technologies and develop its domestic information and communications technology (ICT) sphere. In this regard, the Cyber Shield action plan lists two main priorities. The first is for the National Security Council to conclude memoranda of understanding (MoU) with international Computer Emergency Response Teams (CERT—agencies responsible for responding to cyberattacks). A second priority is for the Ministry of Foreign Affairs to expand Kazakhstan's participation in international organizations dealing with IT issues and cyber threats, namely the Forum of Incident Response and Security Teams (FIRST), the Organization of the Islamic Cooperation's collaborative forum of member countries' Computer Emergency Response Teams (OIC-CERT), the Internet Corporation for Assigned Names and Numbers (ICANN) and the International Telecommunication Union (ITU), as well as the Collective Security Treaty Organization (CSTO), the Shanghai Cooperation Organization (SCO) and the Eurasian Economic Union (EEU). Broader cooperation with the ITU is of particular importance to Kazakhstan as the country has set an ambitious goal to significantly increase its rating in the ITU's Global Cybersecurity Index (GCI) from 0.352 to 0.600 by 2022 (Inalmaty.kz, October 27).
Even though the document does not shed any light on which bilateral IT security agreements the government deems most important, clearly Russia will remain near the top of the list. Recently, Kazakhtelekom and the Russian firm Solar Security agreed to establish a joint center for monitoring and responding to cyberattacks (Informburo.kz, April 27). Another opportunity for deeper Kazakhstani-Russian cooperation is the RusBITekh-owned Astra Linux operating system for small- and medium-sized businesses (Informburo.kz, June 27). Negotiations are ongoing, although Astana is much more interested in new technologies, and Kazakhstani policymakers will almost certainly continue to address this particular issue.
Third, the Cyber Shield document defines several new institutions, but these require further clarification. According to the 2022 action plan, the Ministry of Defense and Aerospace Industry will establish a Council for Cybersecurity in March 2018 (Profit.kz, November 7). Policymakers are also considering establishing a National Coordination Center for Information Security (Zakon.kz, November 1). However, it is still unclear how the two proposed bodies will co-exist. Moreover, the country needs to create both national and sectoral operations centers for information security.
Fourth, education is crucial. According to the recently adopted cybersecurity concept document, Kazakhstan is seeking opportunities to use the Astana EXPO infrastructure to open a center for advanced training that will educate both government officials and the private sector on IT security issues. As the country has a severe shortage of skilled IT specialists, Kazakhstan needs to better attract and retain highly skilled professionals in this field (Caiss.expert, August 8). Hence, the action plan proposes to increase the number of scholarships for cyber-sector students and post-docs. And as of 2018, cybersecurity issues will become an integral part of the general curriculum in public schools. Interestingly, the Ministry of Defense and Aerospace Industry and not the Ministry of Education will be tasked with organizing and holding cyber hygiene training and awareness campaigns for the broader population.
Among other novelties of the cybersecurity concept are the planned creation of critical data backup storage for government information systems and an integrated information security portal to collect and analyze vulnerabilities in domestic IT networks. These projects will necessarily require extra funding and investments.
Kazakhstan has been working to integrate itself into the global information community at an impressive pace. And even though the just-adopted Cyber Shield concept sounds quite ambitious, it is necessary so that Astana will be able to minimize risks to the country in the cyber domain as well as strengthen its cybersecurity capabilities in the defense and security sector. In today's world, these are important prerequisites for any country seeking to navigate modern geopolitical challenges.